PinkKite POS Malware Is Small but Powerful

A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal.

Called PinkKite, the POS malware was observed last year as part of a large campaign that ended in December, but was only detailed last week at Kaspersky Lab’s Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, the malware is believed to have appeared last year for the first time.

Similar to previously observed POS malware families such as TinyPOS and AbaddonPOS, the new PinkKite has a very small size (it is less than 6kb) and uses its tiny footprint to evade detection. Despite this, however, the malware includes memory-scraping and data validation capabilities.

Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week’s SAS 2018, reveal that PinkKite uses a hardcoded double-XOR cipher to encrypt credit card numbers. It also features built-in persistence mechanisms and a backend infrastructure that exfiltrates data through a clearinghouse rather than directly to a command and control (C&C) server, which is where POS malware typically sends its data.

In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed.

The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy.

For distribution purposes, the attackers likely infected a system and then moved laterally across the targeted company’s network environment using PsExec. Next, the hackers used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), and then connected to the compromised systems to steal credit card data via a Remote Desktop Protocol (RDP) session.

The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program and uses names such as Svchost.exe, Ctfmon.exe and AG.exe for that. Different versions of the malware exist, including a whitelist variant that specifically targets processes in a list, and a blacklist iteration that instead ignores certain processes.

After scraping credit card data from the system memory, PinkKite validates card numbers using the Luhn algorithm. It also employs a double-XOR operation to encode the 16 digits of the credit card number with a predefined key, and stores the data in compressed files that can hold as many as 7,000 credit card numbers each.
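The two building blocks named above, a Luhn check and a fixed-key double XOR, written here as an added analyst-side example rather than PinkKite's own code: it shows why Luhn filtering is a cheap way for the malware to discard noise, and why XOR with a hardcoded key is obfuscation rather than encryption, since anyone holding the key recovered from the sample can reverse it. The keys and the sample number are constructed placeholders; the article does not disclose the real key.

```python
"""Added example, not PinkKite's code. Key values and the card number
below are constructed placeholders for illustration."""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum.

    Walks from the rightmost digit, doubling every second digit and
    subtracting 9 when the doubled value exceeds 9.
    """
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def double_xor(data: bytes, key1: bytes, key2: bytes) -> bytes:
    """XOR each byte with two repeating keys.

    XOR is its own inverse, so applying this twice with the same keys
    returns the original bytes. Two fixed keys also compose into one
    fixed key (of length lcm(len(key1), len(key2))), so the "double"
    adds no strength: with the key from the sample, an analyst decodes
    captured records directly.
    """
    out = bytearray()
    for i, b in enumerate(data):
        out.append(b ^ key1[i % len(key1)] ^ key2[i % len(key2)])
    return bytes(out)


KEY1 = b"\x13\x37"  # placeholder, constructed for this example
KEY2 = b"\xa5"      # placeholder, constructed for this example


def decode_record(record: bytes, key1: bytes = KEY1, key2: bytes = KEY2):
    """Analyst helper: reverse the XOR and report whether the recovered
    digits pass Luhn, which is how a decoded record can be sanity-checked."""
    digits = double_xor(record, key1, key2).decode("ascii", errors="replace")
    return digits, luhn_valid(digits)
```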

Using a separate RDP session, the files are sent to one of the employed clearinghouses. These remote systems collected hundreds or thousands of malware output files, the researchers discovered.

The attackers were stealthy enough to stay under the radar until the targeted organization was alerted on its customers’ credit card data being sold on the black market.

Travis Smith, principal security researcher at Tripwire, told SecurityWeek in an email that, even though this powerful malware family has a small footprint, its size has nothing to do with how it can be detected.

“A change on a static endpoint like a point-of-sale machine will stick out clearly with the proper controls. Application white listing is a quick and very effective way to prevent malware such as PinkKite from being allowed to run on a point-of-sale machine. However, if the adversaries were able to use Mimikatz to steal admin credentials, they could bypass controls such as the built-in AppLocker available from Windows. Having layered controls which are designed for both mitigation and detection is key in a successful security architecture,” Smith said.

He also pointed out that the malware’s small size forced it to rely heavily on network communication, which can be prevented and detected.

“Since point-of-sale networks are also fairly static, any communication outside of an established baseline can be considered malicious until proven benign. Utilizing a whitelist set of firewall rules on the point-of-sale network will limit the malware from sending stolen credit cards to adversaries around the world,” Smith concluded.